1. Field of the Invention
The present invention relates to data protection systems and methods, and in particular to a system and method for preventing compromise of data stored in a memory due to data remanence.
2. Description of the Related Art
One possible avenue to obtain access to otherwise secure data is to carefully scan the storage media or memory for data that was incompletely deleted from the data storage device. Incomplete erasure of data is a problem with both magnetic and optical storage media and electronic semiconductor memory. Such incomplete erasure arises from magnetic persistence in magnetic media and deformations in optical media. In semiconductors, remanence can have serious effects on volatile random access memory (RAM) and non-volatile memory (Flash) technologies. Remanence is known to be influenced by hot-carrier effects (which charge the semiconductor devices), electro-migration (which physically changes the semiconductor devices), and environmental dependencies affecting remanence, including voltage and temperature.
Data remanence issues can be solved using techniques that range from performing repetitive read and write operations of known data patterns to memories and the development of new semiconductor technologies.
An effective way to avoid short-term data retention is to ensure that no memory cell can hold a quantity of data for more than a certain amount of time. Similarly, an effective way to avoid long-term storage effects is to periodically flip the stored data bits as suggested in the 1996 paper (Titled “Secure Deletion of Data from Magnetic and Solid-State Memory”, Peter Gutmann, Proceedings of the 6th Usenix Security Symposium, July 1996, p. 77.) so that each cell never holds a value long enough for it to be permanently or temporarily “remembered”. Although impractical for large amounts of data, this may be feasible for small amounts of sensitive data such as cryptographic key variables.
Long-term retention effects are most likely to occur when the same data is repeatedly fed through a specialized circuit. For example, in cryptography there may be repeated use of an identical private key variable in a cryptographic circuit that performs an encryption algorithm. This condition is common in specialized cryptographic circuits, as opposed to general-purpose processor circuits, which constantly process all sorts of different data types that cannot be distinguished at any given time. In contrast, a private key stored in a tamper-resistant hardware circuit that is input repeatedly by a cryptographic processor will lead to some circuits (and signals) always carrying the same information, leading to pronounced long-term hot-carrier degradation and electro-migration effects.
One method of actively reducing the effects of electro-migration (as opposed to passively allowing the memory to revert back to its un-programmed ‘ground’ state) is to apply a reverse-current, which reverses the electro-migration stress, effectively undoing the electro-migration damage. Similar techniques are already used in some EEPROM/Flash devices to reduce repeated erasure stress by applying a reverse-polarity pulse after an erase pulse.
A somewhat more complex and difficult-to-implement approach is to have a cryptographic processor write known false ‘dummy’ data to memory when it isn't processing real sensitive data or keys. A disadvantage of this method is it requires that a crypto operation be interruptible once started. Unfortunately, alternating dummy and real data is complicated by the design of typical crypto devices.
High-assurance security methods may also include encryption of the active data in working memory. This method might be only a deterrent, since a similar (as a matter of fact, perhaps even more critical and more elaborate) protection must be provided for the vital secret parameters (crypto variables, credentials, etc.) in conjunction with encrypting the data. If encryption of the memory is performed without protecting the vital secret parameters, the encrypted data could still be vulnerable to attack, because if the critical secrets were recovered, the encrypted data could then be decrypted.
Another solution to this problem is to use zeroization techniques to erase the cryptographic variables under appropriate circumstances. This provides limited security protection if not performed effectively or quickly. Federal Information Processing Standard 140-2 (FIPS 140-2) specifies the requirement for zeroizing plain text data and keys but does not specify the method of performing such action, when such action should take place or how this requirement is to be implemented.
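The two software-level countermeasures described above, periodic bit-flipping of a small secret (the Gutmann technique) and prompt zeroization, are illustrated below in an added example that is not part of the patent text. The guard structure, its function names, and the sample key are assumptions constructed for this illustration; a real implementation would drive guard_flip from a hardware timer and would have to ensure the complement is stored in the same physical cells.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define KEY_LEN 16

/* Hypothetical holder for a small secret such as a cryptographic key variable.
 * The cell array models the physical storage; 'inverted' records whether the
 * cells currently hold the true value or its bitwise complement. */
typedef struct {
    uint8_t  cell[KEY_LEN];   /* what is physically stored in the memory cells */
    int      inverted;        /* 1 when cell[] holds the complement of the secret */
    unsigned flips;           /* number of polarity flips performed so far */
} remanence_guard_t;

/* Constructed sample key used only by the self-test below (not a real key). */
static const uint8_t sample_key[KEY_LEN] = {
    0x00, 0xff, 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc,
    0xde, 0xf0, 0x0f, 0x1e, 0x2d, 0x3c, 0x4b, 0x5a
};

/* Store a secret; it is initially held in true (non-inverted) form. */
void guard_store(remanence_guard_t *g, const uint8_t *secret, size_t len) {
    memset(g, 0, sizeof *g);
    memcpy(g->cell, secret, len > KEY_LEN ? KEY_LEN : len);
}

/* Flip every stored bit so that no cell holds the same value for long.
 * Called periodically (e.g. from a timer) to limit long-term remanence. */
void guard_flip(remanence_guard_t *g) {
    for (size_t i = 0; i < KEY_LEN; i++)
        g->cell[i] = (uint8_t)~g->cell[i];
    g->inverted ^= 1;
    g->flips++;
}

/* Recover the true secret regardless of the current storage polarity. */
void guard_read(const remanence_guard_t *g, uint8_t *out) {
    for (size_t i = 0; i < KEY_LEN; i++)
        out[i] = g->inverted ? (uint8_t)~g->cell[i] : g->cell[i];
}

/* Zeroize through a volatile pointer so the compiler cannot optimize the
 * writes away as "dead stores" to a buffer that is never read again. */
void guard_zeroize(remanence_guard_t *g) {
    volatile uint8_t *p = g->cell;
    for (size_t i = 0; i < KEY_LEN; i++)
        p[i] = 0;
    g->inverted = 0;
}

/* Returns 1 if every storage cell reads as zero (confirms zeroization). */
int guard_is_zero(const remanence_guard_t *g) {
    uint8_t acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++)
        acc |= g->cell[i];
    return acc == 0;
}

/* Self-test: returns 0 on success, or the number of the failing step.
 * Checks that a flip changes every stored bit, that reads stay correct in
 * both polarities, and that zeroization leaves no trace in the cells. */
int guard_selftest(void) {
    remanence_guard_t g;
    uint8_t out[KEY_LEN];

    guard_store(&g, sample_key, KEY_LEN);

    guard_flip(&g);                                   /* now inverted */
    for (size_t i = 0; i < KEY_LEN; i++)
        if ((g.cell[i] ^ sample_key[i]) != 0xff) return 1;
    guard_read(&g, out);
    if (memcmp(out, sample_key, KEY_LEN) != 0) return 2;

    guard_flip(&g);                                   /* back to true form */
    if (g.inverted != 0 || g.flips != 2) return 3;
    if (memcmp(g.cell, sample_key, KEY_LEN) != 0) return 4;

    guard_zeroize(&g);
    if (!guard_is_zero(&g)) return 5;
    return 0;
}

int main(void) {
    return guard_selftest();   /* exit status 0 means all checks passed */
}
```

The guard keeps the read path polarity-aware so the consuming cryptographic circuit always sees the true key, while the cells alternate between a value and its complement. As the patent text notes, this is workable only for small secrets; flipping a large working memory this way is impractical, and zeroization remains exposed to interference from software running on the same processor.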
However, the foregoing solutions are limited in their application and/or effectiveness. For example, the continuous flipping of data is impractical for larger data sets. Zeroizing data is effective, but is vulnerable to malicious software and hardware intervention. Both zeroization and reverse current techniques are typically performed at slower speeds by the same processors that are used in normal operational modes. This limits their effectiveness, and current random access memory (RAM) and FLASH memory technologies are moving to still higher speeds.
Using alternative data processing techniques such as key switching incurs the overhead of a key schedule. Further, pipelined implementations of block ciphers are generally not interruptible, and require completion of processing of the current block (and in some cases several more blocks to force the data pipeline to be flushed) before a key change can take effect.
Further, the foregoing techniques are difficult to implement in systems having high-performance computing platforms and associated memories that are decoupled from the computer motherboard. Such designs are also expected to become more commonplace.
References discussing data remanence and methods to ameliorate it include “Data Remanence in Semiconductor Devices”, Peter Gutmann, IBM T.J. Watson Research Center, Proceedings of the 10th USENIX Security Symposium, Washington, D.C., USA—Aug. 13-17, 2001; “Relation between the hot carrier lifetime of transistors and CMOS SRAM products”, Jacob van der Pol and Jan Koomen, Proceedings of the International Reliability Physics Symposium (IRPS 1990), April 1990, p. 178; “Hot-carrier-induced Circuit Degradation in Actual DRAM”, Yoonjong Huh, Dooyoung Yang, Hyungsoon Shin, and Yungkwon Sung, Proceedings of the International Reliability Physics Symposium (IRPS 1995), April 1995, p. 72; “Metal Electromigration Damage Healing Under Bidirectional Current Stress”, Jiang Tao, Nathan Cheung, and Chenming Ho, IEEE Electron Device Letters, Vol. 14, No. 12 (December 1993), p. 554; “An Electromigration Failure Model for Interconnects Under Pulsed and Bidirectional Current Stressing”, Jiang Tao, Nathan Cheung, and Chenming Ho, IEEE Transactions on Electron Devices, Vol. 41, No. 4 (April 1994), p. 539; “New Write/Erase Operation Technology for Flash EEPROM Cells to Improve the Read Disturb Characteristics”, Tetsuo Endoh, Hirohisa Iizuka, Riichirou Shirota, and Fujio Masuoka, IEICE Transactions on Electron Devices, Vol. E80-C, No. 10 (October 1997), p. 1317; and “Security Requirements for Cryptographic Modules”, Federal Information Processing Standards Publication, FIPS PUB 140-2 (May 25, 2001), all of which are hereby incorporated by reference herein.
Accordingly, there is a need for a system and method for protecting stored data that avoids the need to constantly flip data within a large memory space, can be performed reliably at high speeds, does not require constant processing of alternative data, allows flexibility in the use of memory modules and in modifying external interfaces between the CPU and the memories, and provides adequate security from malicious software while not requiring that the crypto or general-purpose processor used with the memory be a trusted processor. The present invention satisfies that need by providing hardware-based protection that provides higher-assurance data zeroization techniques deterring data recovery from semiconductor RAM devices (due to remanence), which can be implemented in conventional computing platforms without the expense of inventing new semiconductor technologies.